author | Silvio Rhatto <rhatto@riseup.net> | 2017-09-30 14:06:22 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2017-09-30 14:06:22 -0300 |
commit | 23ac9f57b9b4c761cb8edc5bfa0c0de77ec89326 (patch) | |
tree | 3dab0ec66d67cd62b7e815fea4d62da481042b7b /research/hardened.md | |
parent | 9c21d35c535a4956960851d3c438d58af5f67d92 (diff) | |
download | blog-23ac9f57b9b4c761cb8edc5bfa0c0de77ec89326.tar.gz blog-23ac9f57b9b4c761cb8edc5bfa0c0de77ec89326.tar.bz2 |
Change extension to .md
Diffstat (limited to 'research/hardened.md')
-rw-r--r-- | research/hardened.md | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/research/hardened.md b/research/hardened.md new file mode 100644 index 0000000..e1974f9 --- /dev/null +++ b/research/hardened.md @@ -0,0 +1,38 @@ +[[!meta title="Hardened OS"]] +[[!tag research hardened grsecurity security]] + +grsecurity +---------- + +Basic install: + + sudo apt-get -t jessie-backports install linux-image-4.9.0-2-grsec-amd64 linux-image-grsec-amd64 + sudo apt-get install paxtest + sudo usermod -aG grsec-tpe `whoami` + +As root: + + echo "kernel.grsecurity.rwxmap_logging = 0" > /etc/sysctl.d/kernel.grsecurity.rwxmap_logging.conf + echo "kernel.grsecurity.grsec_lock = 1" > /etc/sysctl.d/kernel.grsecurity.grsec_lock.conf + +As regular user, after reboot: + + paxctl -cm /usr/bin/git-annex + paxctl -cm /usr/bin/qemu-img + paxctl -cm /usr/bin/qemu-system-x86_64 + +Further research +---------------- + +LXC unprivileged containers for GUI applications: + +* [LXC 1.0: GUI in containers [9/10] | Stéphane Graber's website](https://stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/). +* [Configuring Unprivileged LXC containers in Debian Jessie](https://myles.sh/configuring-lxc-unprivileged-containers-in-debian-jessie/). +* [LXC - Debian Wiki](https://wiki.debian.org/LXC). + +References +---------- + +* https://micahflee.com/2016/01/debian-grsecurity/ +* https://nixaid.com/grsec-in-docker/ +* https://hardenedlinux.github.io/ |
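Review bot: In the "As root" step, the two files written to /etc/sysctl.d/ are read in lexical order, so kernel.grsecurity.grsec_lock.conf is applied before kernel.grsecurity.rwxmap_logging.conf. Because grsec_lock = 1 freezes the grsecurity sysctls until the next reboot, the rwxmap_logging = 0 setting is likely to be rejected at boot. Suggest putting both settings in a single file with grsec_lock as the last line, or giving the files numeric prefixes so that the lock sorts last. Separately, the paxctl -cm lines sit under "As regular user" but modify binaries in /usr/bin, which normally requires root, and the flags are lost whenever a package upgrade replaces the binary, so the page should say how they get reapplied. As a style point, $(whoami) is preferable to the backtick form in the usermod line.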